
  • Security Challenges: Developing a Cybersecurity Framework

    APTAtech: Transportation Technology Conference

    September 15-18, 2019 / Columbus, Ohio

    Alameda-Contra Costa Transit District

    September 16, 2019

    http://myact/

    9/19/2019

  • Agenda

    • Intro to Alameda-Contra Costa Transit

    • Rapidly Changing Public Transit Domain

    • Assessing the Agency Core Mission and Technology Landscape

    • Actions

      • Third party audit to identify threat vectors

      • Quick strategy – socialize

      • Identify improvements/upgrades – short + mid + long

    • Define a Roadmap to Get There

    • Framework Adoption

    • Concluding Thoughts

  • AC Transit at a glance

    • Serve 13 cities and 8 unincorporated areas

    • Directly elected Board

    • Alameda and Contra Costa Counties

    • Facilities: 3 – Oakland, 1 – Emeryville, 1 – Hayward, 1 – Richmond

    • Service across 3 Bay Area bridges: Dumbarton, SF–Oakland, San Mateo

  • All about numbers

    RIDERSHIP

    • Daily: 169,000

    • Transbay daily: 14,500

    • Annual: 52,300,000

    • Paratransit: 771,000 (annual)

    SERVICE

    • Daily service hours: 5,800 (weekday)

    • Bus lines: 160

    • Bus stops: 5,500 (approximately)

    • Annual service miles: 20.4 million

    CONNECT WITH

    • 16 other bus systems

    • 25 BART stations

    • 6 Amtrak stations

    • 3 ferry terminals

  • Public Transit Domain

    • Disruptions => Automation – Electrification – Connectivity

    • 5G is REAL - High-speed and reliable connectivity is expected

    • Media rich applications are becoming norm with real-time video, voice, maps and images

    • Situation awareness is a key requirement for quick decision making

    • Digital Framework to support IoT Connectivity

    (Diagram: Electrification, Automation, Connected Vehicles; Riders, Cities and Counties, MPO; CAD/AVL; Connected Enterprise)

  • Technology Landscape

    Infrastructure: Private and Public Clouds, Servers, Switches, Voice Gateways, Firewalls, Routers, Platforms, Storage

    Software Applications: Origami RISK, PMWeb, Citrix, G2 Solutions, DMV EPN, Tableau, AutoCAD LT, NextBUS, Office365, NICE, HASTUS, DAILY, Apollo Video, GIS, Zoom, Camtasia, GFI, Dragon, SQL, ELLIPSE, Kantech, PEOPLESOFT, CAD/AVL, Xerox

    Devices: Desktop Computers, Laptop Computers, Mobile, Tablets, Smartphones, Desk Phones, Push to Talk Radios, Conference Phones, MiFi Units, Presentation Systems, Satellite Phones, TVM/Clipper Machines

    2300+ Employees

    1.6M Customers

  • Security Landscape

    • Global ransomware damage costs exceeded $5B in 2017 (a 15X increase in two years)

    • Cyber-crime damage costs to hit $6 trillion annually by 2021

    • 42% IGNORE ALERTS – A significant number of security alerts are ignored due to sheer volume, according to 42% of polled cybersecurity professionals. **

    • 24% RESOURCE CONSTRAINED – 24% of cyber teams do not have the ability to investigate or prioritize security alerts in a timely manner. **

    • 38% BURNED OUT – 38% of cyber staff are citing burnout. **

    • 201 DAYS – Average time to detect a breach: 201 days. *

    * Ponemon Institute, 2017 Cost of a Data Breach Study

    ** According to the ISSA & ESG recent research

  • Security Market

    Infrastructure

    Information Management

    Cloud

    Data Science

    Compliance

  • Activities

    • Third Party Cybersecurity Audit

      • External Penetration Testing

      • Internal Penetration Testing

      • Security Audit

    • Socialize the Outcome with Key Stakeholders

    • Quick Plan of Action – Prioritize Risks + Cost + Timelines

    • High Level Roadmap – Tools + People + Process

  • Security Audit

    • Integrated Control Framework

    • 14 Domains utilized for various risk assessments and maturity assessments

    • National Institute of Standards and Technology (NIST)

    • International Organization for Standardization (ISO)

    • Capability Maturity Model

    • Forrester’s IT Service Management Maturity Model

    • Systems Security Engineering Capability Maturity Model ®

    Level 0 Nonexistent: Not understood; Unaware of need

    Level 1 Ad-Hoc: Occasional; Reactive; Unplanned; Disorganized

    Level 2 Repeatable: Planned; Consistent; Verified; Responsive

    Level 3 Defined: Documented; Understood; Predictable; Collaborated

    Level 4 Measured: Evaluated; Reported; Metrics; Progressive

    Level 5 Optimized: Improvement; Efficient; Proactive; Automated

  • Understanding Maturity

    IT Security Domain, rated on the scale Level 0 Nonexistent / Level 1 Ad-Hoc / Level 2 Repeatable / Level 3 Defined / Level 4 Measured / Level 5 Optimized:

    • Third Party Management

    • Data Protection

    • Employee Management

    • Physical Security

    • Logical Security

    • Threat & Vuln. Management

    • Logging & Monitoring

    • Sec Config. Management

    • Sec Change Management

    • Compliance

    • Business Continuity

    • IT Operations

    • Secure SDLC

    • Overall Maturity

    Legend: Current Rating; Change since 2016; New rating for 2018; 2016 Rating; Target Maturity

    (Heatmap of per-domain ratings not reproduced in the transcript.)

  • Defining a Framework

    • Understand the Current State of the Cybersecurity Program Holistically

    • Identify Improvements/Upgrades

    • Define a Roadmap to Get There

    • Frame Current Risks

  • Roadmap

    (Diagram: Cybersecurity Maturity Assessment across Process, Technology and People)

  • Security Operations Center

    Asset Discovery & Inventory

    Vulnerability Assessment

    Intrusion Detection

    Behavioral Monitoring

    SIEM & Log Management

    24x7 Security Operations

  • Adopting a Framework: Cybersecurity Domains

    Cybersecurity Governance – Oversight and Strategy

    POLICIES AND PROCEDURES

    ❑ Information Security Program

    ❑ Standard Operating Procedures

    ❑ Administrative Standards

    ROLES AND RESPONSIBILITIES

    ❑ Organizational Structure

    ❑ Information Security Officer

    ❑ Security Responsibilities

    IT RISK MANAGEMENT

    ❑ IT Risk Definition

    ❑ Risk Appetite / Tolerance

    ❑ Risk and Control Universe

    ❑ Risk Assessment

    ❑ Risk Treatment

    ❑ Communication Plan

    ❑ Risk Monitoring

    DATA PROTECTION

    ❑ Encryption

    ❑ Data Classification

    ❑ Data Protection Technologies

    THREAT AND VULNERABILITY MANAGEMENT

    ❑ Vulnerability Scanning

    ❑ Patch Management

    ❑ Anti-Malware Technologies

    PHYSICAL SECURITY

    ❑ Standards

    ❑ Physical Storage

    ❑ Monitoring & Testing

    SECURE DEVELOPMENT

    ❑ Secure Development Standards

    ❑ Secure Development Testing

    LOGICAL SECURITY

    ❑ Authentication Standards

    ❑ Administrative Access

    ❑ Access Management

    ❑ Access Review

    ❑ Remote Access

    LOGGING AND MONITORING

    ❑ Centralization & Aggregation

    ❑ Alerts

    ❑ Activity Baseline

    IT OPERATIONS

    ❑ IT Asset Management

    ❑ Data Flows

    ❑ Software Authorization

    IT COMPLIANCE

    ❑ PCI Compliance

    ❑ Evaluation

    ❑ Oversight & Coordination

    EMPLOYEE MANAGEMENT

    ❑ Security Awareness

    ❑ Human Resources

    ❑ Acceptable Use

    SECURITY CONFIGURATION MANAGEMENT

    ❑ Approved Infrastructure

    ❑ Build & Hardening Procedures

    ❑ Configuration Management

    SECURITY CHANGE MANAGEMENT

    ❑ Change Management

    ❑ Maintenance

    BUSINESS CONTINUITY MANAGEMENT

    ❑ Business Impact Analysis

    ❑ Business Continuity Planning

    ❑ Disaster Recovery

    ❑ Resiliency

    ❑ Incident Response

    THIRD PARTY RISK MANAGEMENT

    ❑ Vendor Inventory

    ❑ Due Diligence & Assessment

    ❑ Performance Monitoring

    ❑ Contractual Terms

    ❑ Vendor Access

  • Concluding Thoughts

    • Build a Roadmap based on Risk Priority

    • Parallel Work on People, Process, and Tools

    • Take Security Seriously – But Share the Stress

    • Build It In the Culture

    • Watch your Supply Chain

    • Don’t overlook Physical Security

    • Customize the Framework

    There is no such thing as "perfect protection"